Open Source Threat Hunting Tool

WRAITH

Windows Threat Hunting and Triage

An open-source tool that helps you quickly understand what is happening on a Windows endpoint. Eighteen scan modules surface persistence, processes, YARA hits, rootkits, vulnerable drivers, supply-chain risks, and OSINT threat-intel, with every finding tagged with its MITRE ATT&CK technique. Then act with one-click process kill and an automated quarantine engine.

Latest release · Windows 10 / 11 · 18 scan modules
Why WRAITH

Built for the work, not the pitch.

Detection, response, and alerting in one tool, not three.

Detect Across 18 Modules

YARA, heuristics, persistence, processes, rootkits, vulnerable drivers, supply-chain and more in a single pass, correlated against live OSINT threat-intel feeds and ranked by severity.

Contain On The Spot

One-click process kill (with PID confirmation) plus an auto-quarantine engine gated by a two-stage trust system, so signed and trusted paths are never touched.

Mapped & Wired To Your SOC

Every finding is tagged with its MITRE ATT&CK technique, then pushed to Slack or Discord webhooks and Microsoft Sentinel, all while running alongside Windows Defender.

Investigation

What it helps you answer.

What is running right now?
What is set to persist?
What changed on this endpoint?
What deserves investigation first?

Workflow

Investigation in four steps.

01

Launch WRAITH

Run the installer or extract the portable build and double-click WRAITH.exe on any Windows 10/11 machine. The .NET runtime is bundled, with no SDK or Python to install.

02

Run the Scan

Hit EXPECTO PATRONUM and all 18 modules sweep the host: processes, persistence, YARA, rootkits, vulnerable drivers, threat-intel and more.

03

Review Findings

Findings stream into one dark-themed dashboard, ranked by severity. Filter from CRITICAL to INFO in real time without re-running.

04

Respond & Alert

Kill live processes, auto-quarantine confirmed threats behind trust gates, and push alerts to Slack, Discord, or Microsoft Sentinel.

Launcher preview: WRAITH.exe · runtime bundled · no SDK · elevated (admin) · EXPECTO PATRONUM

18 modules. ATT&CK-tagged. Ranked by severity. One dashboard.

What It Does

Eighteen scan modules, each targeting a specific area of Windows host investigation, so you can move through triage systematically.

YARA Scanning

Run signature rules against host artifacts to catch known threat families (APT, RATs, webshells, and malicious scripts) during triage.

Behavioral Heuristics

Entropy analysis, obfuscated command detection, and suspicious parent-child process trees flag activity that no signature covers.

Persistence Inspection

Enumerate registry Run keys, scheduled tasks, startup folders, services, and WMI subscriptions to find what survives a reboot.
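The persistence sweep described above, as an added PowerShell example that is not WRAITH's own code: it walks the five location types the module names (Run keys, scheduled tasks, startup folders, auto-start services, WMI subscriptions) and collects one record per entry for review. It assumes an elevated session on Windows 10/11; the Run-key list and the non-Microsoft task filter are assumptions chosen for triage, not a complete catalogue.

```powershell
# Added example (not WRAITH's code): enumerate common persistence locations
# and emit one object per entry so an analyst can review what survives a reboot.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Source, $Name, $Command) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1. Registry Run / RunOnce keys (HKLM and HKCU, plus the WOW6432Node view)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value
    }
}

# 2. Scheduled tasks outside the \Microsoft\ tree (where third-party and
#    attacker-created tasks normally live); one record per action
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" "$($a.Execute) $($a.Arguments)"
    }
}

# 3. Startup folders, per-user and all-users (hidden entries included)
$startup = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'StartupFolder' $_.Name $_.FullName
}

# 4. Services configured to start automatically, with their binary path
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    Add-Finding 'Service' $_.Name $_.PathName
}

# 5. WMI event subscriptions: every filter-to-consumer binding is a candidate
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMISubscription' $_.Filter $_.Consumer }

$findings | Sort-Object Source, Name | Format-Table -AutoSize
```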

Process Analysis

Spot injected threads, hollowed images, unbacked memory, and unsigned binaries running from unusual paths.

Network Inspection

Surface outbound connections to suspicious ranges, unexpected listening ports, and unusual DNS activity.

Event Log Analysis

Parse and filter Windows event logs across a configurable look-back window to surface logon anomalies and system changes.

CISA KEV Correlation

Cross-reference installed software against CISA's live Known Exploited Vulnerabilities catalog to flag actively targeted software.

Supply-Chain Checks

200+ indicators across npm, NuGet, and AI/ML ecosystems: typosquats, dependency confusion, API-key harvesters, and cryptominer drops.

Windows Security Posture

Review firewall state, Defender status, audit policy gaps, and UAC configuration to find weakened defenses.

Rootkit Detection

Hunt SSDT / IDT hooks, hidden drivers, and DKOM object-unlinking indicators that hide activity from the OS.

Alternate Data Streams

Inspect NTFS Alternate Data Streams, a classic hiding place for payloads that standard tools overlook.
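An added PowerShell example of the ADS inspection described above (not WRAITH's own code): it lists every named stream under a directory tree while dropping the default `:$DATA` stream and the `Zone.Identifier` mark-of-the-web stream that browsers attach to downloads, which would otherwise bury real findings in noise. The default scan root is an assumption.

```powershell
# Added example (not WRAITH's code): enumerate NTFS alternate data streams,
# filtering out the two streams that are expected on almost every file.
function Get-SuspiciousAds {
    param([string]$Path = $env:USERPROFILE)   # assumed default scan root
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream on the file
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# Any remaining named stream is worth a look, especially ones with a large Length
Get-SuspiciousAds -Path 'C:\Users\Public' | Format-Table -AutoSize
```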

Credential Anomalies

Surface SAM / LSA / DPAPI anomalies and plain-text credential indicators left in memory.

Browser Artifacts

Review suspicious extensions, modified hosts files, and malicious bookmark indicators across major browsers.

Defender Integration

Runs alongside Windows Defender, surfacing quarantined items and threat history in the same feed.

Vulnerable Driver Detection

Cross-reference loaded kernel drivers against the LOLDrivers catalog to catch BYOVD: signed-but-vulnerable drivers used to disable EDR or escalate privileges.

Tor Exit-Node Correlation

Match active outbound connections against the live Tor exit-node list to expose C2 channels and data exfiltration hiding behind Tor.

OSINT Threat Intel

Correlate connections, DNS, and file hashes against DigitalSide OSINT feeds: malicious IPs, domains, URLs, and hashes refreshed daily.

Vulnerability Assessment

Nessus-style local checks: missing patches and end-of-life (EOL) software, privilege-escalation paths, weak service permissions, and hardening gaps (Secure Boot, VBS, Credential Guard).

Interface Preview

A dark-themed WPF dashboard built for fast analyst decisions under pressure.

Full scan results ranked by severity, CRITICAL to INFO, color-coded across all 18 modules
Severity filter dropdown: filter by severity and category in real time, with live counts and no re-scan needed
SOC alert webhook configuration: push alerts to Slack or Discord webhooks straight from the running host

Why We Built This

WRAITH started from a real frustration: doing Windows triage meant jumping between a dozen different tools, manually pulling registry keys, grepping through event logs, and hoping you caught everything that mattered. It takes too long, and it's easy to miss things when you are working fast under pressure.

This tool pulls the most important Windows artifacts together in one place: running processes, persistence mechanisms, browser history, event log entries, and YARA hits. It surfaces them all in a structured format so you can spend your time thinking about what the data means, not hunting for where the data lives.

WRAITH is not trying to replace your judgment as an analyst. It is trying to get you to useful information faster. The goal is simple: you open it, you see what is on the machine, and you decide where to dig next. No noise, no fluff.

It's built for the people who actually do this work, by people who have done this work. Open source, and focused on the job.

What's Coming

Areas we are actively working on and plan to ship in upcoming releases.

Authenticode Code Signing

A commercial signing certificate so Windows recognizes WRAITH as a trusted publisher and the SmartScreen prompt goes away.

Timeline Visualization

Unified timeline view correlating event log entries, persistence changes, and process activity.

Remote Collection Support

Secure remote data collection from Windows endpoints for centralized triage workflows.

Expanded Forensic Parsers

Additional artifact parsers (prefetch, shimcache, and amcache) to widen coverage during deep-dive investigations.

Portable Windows triage
No heavy setup
Fast artifact review
Built for real investigations